To: 


Of: 


İCO. 


Information Commissioner's Office 


DATA PROTECTION ACT 1998 


SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER 


ENFORCEMENT NOTICE 


Saga Personal Finance Limited 


Enbrook Park, Sandgate, Folkestone, Kent CT20 3SE 


The Information Commissioner (“the Commissioner”) has decided to 
issue Saga Personal Finance Limited (“SPF”) with an enforcement 
notice under section 40 of the Data Protection Act 1998 (“DPA”). The 
notice is in relation to a serious contravention of Regulation 22 of the 
Privacy and Electronic Communications (EC Directive) Regulations 2003 
(“PECR”). 


This notice explains the Commissioner’s decision. 


Legal framework 


SPF, whose registered office is given above (Companies House 
Registration Number: 03023493) is the organisation stated in this 
notice to have instigated the transmission of unsolicited 
communications by means of electronic mail to individual subscribers 


for the purposes of direct marketing contrary to regulation 22 of PECR. 


Regulation 22 of PECR states: 


© 

ICO. 

Information Commissioner's Office 
"(1) This regulation applies to the transmission of unsolicited 


communications by means of electronic mail to individual 


subscribers. 


(2) Except in the circumstances referred to in paragraph (3), a person 
shall neither transmit, nor instigate the transmission of, unsolicited 
communications for the purposes of direct marketing by means of 
electronic mail unless the recipient of the electronic mail has 
previously notified the sender that he consents for the time being 
to such communications being sent by, or at the instigation of, the 


sender. 


(3) A person may send or instigate the sending of electronic mail for 


the purposes of direct marketing where— 


(a) that person has obtained the contact details of the recipient 
of that electronic mail in the course of the sale or 
negotiations for the sale of a product or service to that 


recipient; 


(b) the direct marketing is in respect of that person’s similar 


products and services only; and 


(c) the recipient has been given a simple means of refusing 
(free of charge except for the costs of the transmission of 
the refusal) the use of his contact details for the purposes 
of such direct marketing, at the time that the details were 
initially collected, and, where he did not initially refuse the 
use of the details, at the time of each subsequent 


communication. 


(4) A subscriber shall not permit his line to be used in contravention of 


paragraph (2).” 


10. 


© 

l C O e 

Information Commissioner's Office 
Section 122(5) of the DPA 2018 defines direct marketing as “the 
communication (by whatever means) of advertising material which is 
directed to particular individuals”. This definition also applies for the 


purposes of PECR (see regulation 2(2) PECR; and Schedule 19, 
paragraph 430 and 432(6) DPA18). 


Prior to 29 March 2019, the European Directive 95/46/EC defined 
‘consent’ as “any freely given specific and informed indication of his 
wishes by which the data subject signifies his agreement to personal 


data relating to him being processed”. 


Consent in PECR is now defined, from 29 March 2019, by reference to 
the concept of consent in Regulation 2016/679 (“the GDPR”): 
regulation 8(2) of the Data Protection, Privacy and Electronic 
Communications (Amendments etc) (EU Exit) Regulations 2019. Article 
4(11) of the GDPR sets out the following definition: “‘consent’ of the 
data subject means any freely given, specific, informed and 
unambiguous indication of the data subject's wishes by which he or 
she, by a statement or by a clear affirmative action, signifies 


agreement to the processing of personal data relating to him or her". 


“Individual” is defined in regulation 2(1) of PECR as “a living individual 


and includes an unincorporated body of such individuals". 


A “subscriber” is defined in regulation 2(1) of PECR as “a person who is 
a party to a contract with a provider of public electronic 


communications services for the supply of such services”. 


“Electronic mail” is defined in regulation 2(1) of PECR as “any text, 
voice, sound or image message sent over a public electronic 


communications network which can be stored in the network or in the 
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recipient’s terminal equipment until it is collected by the recipient and 


includes messages sent using a short message service”. 


The DPA contains enforcement provisions at Part V which are 
exercisable by the Commissioner. Those provisions are modified and 
extended for the purposes of PECR by Schedule 1 PECR. 


Section 40(1)(a) of the DPA (as extended and modified by PECR) 
provides that if the Commissioner is satisfied that a person has 
contravened or is contravening any of the requirements of the 
Regulations, she may serve him with an Enforcement Notice requiring 
him to take within such time as may be specified in the Notice, or to 
refrain from taking after such time as may be so specified, such steps 


as are so specified. 


PECR were enacted to protect the individual’s fundamental right to 
privacy in the electronic communications sector. PECR were 
subsequently amended and strengthened. The Commissioner will 
interpret PECR in a way which is consistent with the Regulations’ 
overall aim of ensuring high levels of protection for individuals’ privacy 


rights. 

The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the Data Protection Act 2018 (see 
paragraph 58(1) of Part 9, Schedule 20 of that Act). 

The contravention 


The Commissioner finds that SPF contravened regulation 22 of PECR. 


The Commissioner finds that the contravention was as follows: 
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The Commissioner finds that between 14 December 2018 and 2 May 

2019 there were 2,745,777 direct marketing emails sent to subscribers 

on behalf of SPF by its Partner I, and HE Affiliates. Of those, it 

has been confirmed that 2,714,872 direct marketing emails were 


received by subscribers. 


Furthermore, between 29 November 2018 and 2 May 2019 there were 
28,676,526 direct marketing emails sent to subscribers on behalf of 
SPF by its Partner J, and J Affiliates. SPF was unable to 
confirm how many of those direct marketing emails were received, 
however its Partner I estimated that between 2 - 10% of ‘sent’ 
messages could be expected to be ‘undelivered’. The Commissioner 
therefore believes it is reasonable to suggest that 25,808,873 (i.e., 
90% of the total number of messages sent by J and its Affiliates) 


could be expected to have been received by subscribers. 


The Commissioner finds that SPF instigated the transmission of the 


direct marketing messages sent, contrary to regulation 22 of PECR. 


SPF, as the instigator of the direct marketing, is required to ensure that 
it is acting in compliance with the requirements of regulation 22 of 
PECR, and to ensure that valid consent to send those messages had 


been acquired. 


During this investigation it has been proposed that the 
Partners/Affiliates would be the instigators of the direct marketing 
rather than SPF itself. The Commissioner does not agree with this 
interpretation of the situation. Whilst the Partners/Affiliates clearly 
‘sent’ the direct marketing communications under contract, those 
communications included content drafted by SPF. Without SPF’s 
involvement and positive encouragement, those communications would 


not have been sent. 
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In any event, even if SPF were to maintain that its partners were the 
instigators of this direct marketing, it is clear that the legislation is 
worded in such a way that regulation 22 PECR is capable of covering 
more than one person/organisation involved in either the transmission 


or the instigation of that transmission. 


It is noted that SPF relied on ‘indirect consent’ for its direct marketing, 
i.e., where the intended recipient had told one organisation that he/she 
consents to receiving marketing from other organisations. The 
Commissioner’s direct marketing guidance says “organisations need to 
be aware that indirect consent will not be enough for texts, emails or 
automated calls. This is because the rules on electronic marketing are 


stricter, to reflect the more intrusive nature of electronic messages.” 


However, it does go on to say that indirect consent may be valid, but 
only if it is clear and specific enough. Consent is not likely to be valid 
where an individual is presented with a long, seemingly exhaustive list 
of categories of organisations; indeed, under the GDPR this 
requirement goes further and states that even precisely named 


categories of third parties will not be acceptable. 


Furthermore, for consent to be valid it is required to be “freely given”, 
by which it follows that if consent to marketing is a condition of 
subscribing to a service, the organisation will have to demonstrate how 


the consent can be said to have been given freely. 


Consent is also required to be “specific” as to the type of marketing 
communication to be received, and the organisation, or specific type of 


organisation, that will be sending it. 


Consent will not be “informed” if individuals do not understand what 


they are consenting to. Organisations should therefore always ensure 
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that the language used is clear, easy to understand, and not hidden 
away in a privacy policy or small print. Consent will not be valid if 
individuals are asked to agree to receive marketing from “similar 
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organisations”, “partners”, “selected third parties” or other similar 


generic description. 


The Commissioner is therefore satisfied from the evidence she has 
seen that SPF did not have the necessary valid consent for the 


28,523,745 direct marketing messages received by subscribers. 


The Commissioner has considered, as she is required to do under 
section 40(2) of the DPA (as extended and modified by PECR) when 
deciding whether to serve an Enforcement Notice, whether any 
contravention has caused or is likely to cause any person damage or 
distress. The Commissioner has decided that it is unlikely that damage 


or distress has been caused in this instance. 


In view of the matters referred to above the Commissioner 
hereby gives notice that, in exercise of her powers under 
section 40 of the DPA, she requires SPF to take the steps 


specified in Annex 1 of this Notice 


Right of Appeal 


There is a right of appeal against this Notice to the First-tier Tribunal 
(Information Rights), part of the General Regulatory Chamber. 


Information about appeals is set out in the attached Annex 2. 


Dated the 13* day of September 2021 


Andy Curry 

Head of Investigations 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 
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ANNEX 1 


TERMS OF THE ENFORCEMENT NOTICE 


SPF shall within 30 days of the date of this notice: 


Except in the circumstances referred to in paragraph (3) of 
regulation 22 of PECR, neither transmit, nor instigate the 
transmission of, unsolicited communications for the purposes of 
direct marketing by means of electronic mail unless the recipient of 
the electronic mail has previously notified SPF that he clearly and 
specifically consents for the time being to such communications 


being sent by, or at the instigation of, SPF. 
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ANNEX 2 


RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 


L. Section 48 of the Data Protection Act 1998 gives any person upon 
whom an enforcement notice has been served a right of appeal to the 
First-tier Tribunal (Information Rights) (the “Tribunal”) against the 


notice. 
2. If you decide to appeal and if the Tribunal considers: - 


a) that the notice against which the appeal is brought is not in 


accordance with the law; or 


b) to the extent that the notice involved an exercise of discretion by 
the Commissioner, that she ought to have exercised her 


discretion differently, 


the Tribunal will allow the appeal or substitute such other decision as 
could have been made by the Commissioner. In any other case the 


Tribunal will dismiss the appeal. 


3: You may bring an appeal by serving a notice of appeal on the Tribunal 


at the following address: 


General Regulatory Chamber 
HM Courts & Tribunals Service 
PO Box 9300 

Leicester 

LE1 8DJ 


Telephone: 0203 936 8963 
Email: grc@justice.gov.uk 
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e The notice of appeal should be served on the Tribunal within 28 


days of the date on which the enforcement notice was sent 


The statutory provisions concerning appeals to the First-tier Tribunal 
(General Regulatory Chamber) are contained in sections 48 and 49 of, 
and Schedule 6 to, the Data Protection Act 1998, and Tribunal 
Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 
2009 (Statutory Instrument 2009 No. 1976 (L.20)). 


